Introducing Extra Web Security for Nginx Services

Apache has traditionally been the king of shared web hosting. It’s popular, stable, flexible, and well-supported across a wide variety of platforms. It’s certainly not, however, the only option available for serving HTTP traffic. Other alternatives, such as Nginx, have existed for a while, and are growing in usage as website owners demand greater levels of performance and scalability. I want to spend a bit of time examining Nginx, some of its benefits and drawbacks, and how we’re improving its provision to our customers as an alternative to traditional Apache servers.

At its core, Nginx is an incredibly efficient and powerful HTTP server. Its single-threaded, asynchronous request-handling model stands in contrast to Apache’s process-per-connection. By leveraging a fast event loop, a single Nginx process can scale to handle thousands of concurrent requests while maintaining minimal memory usage (in most common workloads, just a few dozen megabytes of RAM). Additionally, Nginx’s modular architecture allows developers and community members to build new solutions to extend Nginx functionality. In some cases open source module development has spawned active communities around extending Nginx functionality.

While we’ve long offered Nginx for VPS and dedicated servers as an alternative to the traditional Apache service, we haven’t provided all of the extra bells and whistles we do with Apache, particularly with respect to built-in application security. Historically, community-driven web application firewall solutions for Nginx have been a bit lackluster. SpiderLabs, the team behind the venerable ModSecurity solution for Apache, did build support for Nginx as community adoption of the alternate server grew, but stability and compatibility problems have plagued the fork for years. SpiderLabs is working on a new version of ModSecurity designed to be portable to a number of HTTP servers, but the endeavor is still very much in beta. Other WAF solutions for Nginx, such as Naxsi (a native Nginx module designed to prevent XSS and SQLi attacks), do exist, but lack the robustness and feature set that ModSecurity provides. Ultimately, no stable, turnkey, open source solution exists as an alternative to ModSecurity for Nginx — until now.

This project is built on the OpenResty platform, a software bundle combining the original Nginx project with the Lua interpreter and efficient JIT compiler. The platform allows users to quickly develop and scale applications using the Lua language, while leveraging the flexibility and power that Nginx provides. Lua-resty-waf seeks to provide a ModSecurity-compatible WAF feature set with Nginx, using the built-in LuaJIT compiler to provide an efficient application firewall platform capable of using existing ModSecurity rulesets.

Lua-resty-waf was originally written as part of my Master’s Thesis. The idea behind the project was to explore the costs, risks and requirements associated with developing a cloud WAF infrastructure, similar to what commercial cloud security providers like Cloudflare and Incapsula provide — and then provide that service free of charge. Totally unsustainable, of course, but as an academic exercise it was an educating experience. I decided to focus on releasing the source of the firewall engine powering the service, continuing to develop features and exploring new methods of anomalous and malicious behavior detection. As we examined our Nginx offering at DreamHost, we realized that we could leverage this project to provide the same application security that we do using ModSecurity for our Apache services.

Developing this project has been another big win for DreamHost’s commitment to contributing to open source projects. We’ve spent a good chunk of the last few months refactoring, adding new features, and testing the project, and we’re now offering it to users running on modern VPS and dedicated server platforms. This means Nginx users can now receive the same built-in security that we provide for Apache services, including:

Protection against zero-day threats for popular CMSes such as WordPress, Joomla, Drupal, and more

Monitoring of interactive platform functionality, such as blog comments, for spam, DDoS, and vulnerability exploit

Behavioral analysis of traffic based on hit rate and request target

All of this is provided seamlessly by the lua-resty-waf platform that is now bundled into modern VPS and dedicated servers (by modern, we mean servers running Ubuntu — if you haven’t upgraded, you should!). Enabling the security for your domain is as simple as checking the “Extra Web Security” box within your domain management panel:

So what are you waiting for? Check that security box and protect your site today!